COMPUTING IGUSA'S LOCAL ZETA FUNCTIONS OF UNIVARIATE POLYNOMIALS, AND LINEAR FEEDBACK SHIFT REGISTERS

W. A. ZUNIGA-GALINDO

Abstract. We give a polynomial time algorithm for computing the Igusa local zeta function $Z(s,f)$ attached to a polynomial $f(x) \in \mathbb{Z}[x]$ in one variable, with splitting field $\mathbb{Q}$, and a prime number $p$. We also propose a new class of Linear Feedback Shift Registers based on the computation of Igusa's local zeta function.



1. Introduction

Let $f(x) \in \mathbb{Z}[x]$, $x = (x_1, \dots, x_n)$, be a non-constant polynomial, and $p$ a fixed prime number. We put $N_m(f,p) = N_m(f)$ for the number of solutions of the congruence $f(x) \equiv 0 \bmod p^m$ in $(\mathbb{Z}/p^m\mathbb{Z})^n$, $m \geq 1$, and $H(t,f)$ for the Poincaré series

$$H(t,f) = \sum_{m=0}^{\infty} N_m(f)\,(p^{-n}t)^m,$$

with $t \in \mathbb{C}$, $|t| < 1$, and $N_0(f) = 1$. This paper is dedicated to the computation of the sequence $\{N_m(f)\}_{m \geq 0}$ when $f$ is a univariate polynomial with splitting field $\mathbb{Q}$.

Igusa showed that the Poincaré series $H(t,f)$ admits a meromorphic continuation to the complex plane as a rational function of $t$ [14], [15]. In this paper we make a first step towards the solution of the following problem: given a polynomial $f(x)$ as above, how difficult is it to compute the meromorphic continuation of the Poincaré series $H(t,f)$?

The computation of the Poincaré series $H(t,f)$ is equivalent to the computation of Igusa's local zeta function $Z(s,f)$, attached to $f$ and $p$, defined as follows. We denote by $\mathbb{Q}_p$ the field of $p$-adic numbers, and by $\mathbb{Z}_p$ the ring of $p$-adic integers. For $x \in \mathbb{Q}_p$, $v_p(x)$ denotes the $p$-adic order of $x$, and $|x|_p = p^{-v_p(x)}$ its absolute value. The Igusa local zeta function associated to $f$ and $p$ is defined as follows:

$$Z(s,f) = \int_{\mathbb{Z}_p^n} |f(x)|_p^s \, |dx|, \qquad s \in \mathbb{C},$$

where $\mathrm{Re}(s) > 0$, and $|dx|$ denotes the Haar measure on $\mathbb{Q}_p^n$ so normalized that $\mathbb{Z}_p^n$ has measure 1. The following relation between $Z(s,f)$ and $H(t,f)$ holds (see [14], theorem 8.2.2):

Thus, the rationality of $Z(s,f)$ implies the rationality of the Poincaré series $H(t,f)$, and the computation of $H(t,f)$ is equivalent to the computation of $Z(s,f)$. Igusa [14, theorem 8.2.1] showed that the local zeta function $Z(s,f)$ admits a meromorphic continuation to the complex plane as a rational function of $p^{-s}$.

The first result of this paper is a polynomial time algorithm for computing the local zeta function $Z(s,f)$ attached to a polynomial $f(x) \in \mathbb{Z}[x]$, in one variable, with splitting field $\mathbb{Q}$, and a prime number $p$. We also give an explicit estimate for its complexity (see algorithm Compute_Z(s, f) in section 2, and theorem 7.1).

Many authors have found explicit formulas for $Z(s,f)$, or $H(t,f)$, for several classes of polynomials, among them [7], [?], [?], [?] and the references therein, [24], [25]. In all these works the computation of $Z(s,f)$, or $H(t,f)$, is reduced to other problems, such as the computation of the number of solutions of polynomial equations with coefficients in a finite field. Currently, there is no polynomial time algorithm solving this problem [23]. Moreover, none of the above mentioned works include complexity estimates for the computation of Igusa's local zeta functions.

Of particular importance is Denef's explicit formula for $Z(s,f)$, when $f$ satisfies some generic conditions [6]. This formula involves the numerical data associated to a resolution of singularities of the divisor $f = 0$, and the number of rational points of certain non-singular varieties over finite fields. Thus the computation of $Z(s,f)$, for a generic polynomial $f$, is reduced to the computation of the numerical data associated to a resolution of singularities of the divisor $f = 0$, and the number of solutions of non-singular polynomials over finite fields. Currently, it is unknown whether these problems can be solved in polynomial time on a Turing machine. However, during the last few years important achievements have been obtained in the computation of resolutions of singularities of polynomials [?], [21].

The computation of the Igusa local zeta function for an arbitrary polynomial seems to be an intractable problem on a Turing machine. For example, for $p = 2$, the computation of the number of solutions of a polynomial equation with coefficients in $\mathbb{Z}/2\mathbb{Z}$ is an NP-complete problem on a Turing machine [?, page 251, problem AN9]. Then in the case of $2$-adic numbers, the computation of the Igusa local zeta function is an NP-complete problem.

Recently, Anshel and Goldfeld have shown the existence of a strong connection between the computation of zeta functions and cryptography [1]. Indeed, they proposed a new class of candidates for one-way functions based on global zeta functions. A one-way function is a function $F$ such that for each $x$ in the domain of $F$, it is easy to compute $F(x)$; but for essentially all $y$ in the range of $F$, it is an intractable problem to find an $x$ such that $y = F(x)$. These functions play a central role, from a practical and theoretical point of view, in modern cryptography. Currently, there is no guarantee that one-way functions exist even if $P \neq NP$. Most of the present candidates for one-way functions are constructed on the intractability of problems like integer factorization and discrete logarithms [?]. Recently, P. Shor has introduced a new approach to attack these problems [20]. Indeed, Shor has shown that on a quantum computer the integer factorization and discrete logarithm problems can be solved in polynomial time.
We set

$$\mathcal{H} = \{H(t,f) \mid f(x) \in \mathbb{Z}[x], \text{ in one variable, with splitting field } \mathbb{Q}\},$$

and $N^{\infty}(\mathbb{Z})$ for the set of finite sequences of integers. For each positive integer $u$ and a prime number $p$, we define

$$F_{u,p} : \mathcal{H} \to N^{\infty}(\mathbb{Z}), \qquad H(t,f) \mapsto \{N_0(f,p), N_1(f,p), \dots, N_u(f,p)\}.$$

Our second result asserts that $F_{u,p}(H(t,f))$ can be computed in polynomial time, for every $H(t,f) \in \mathcal{H}$ (see theorem 8.1). It seems interesting to study the complexity on a Turing machine of the following problem: given a list of positive integers $\{a_0, a_1, \dots, a_u\}$, how difficult is it to determine whether or not there exists a Poincaré series $H(t,f) = \sum_{m=0}^{\infty} N_m(f)(p^{-1}t)^m$ such that $a_i = N_i(f)$, $i = 1, \dots, u$?

Currently, the author does not have any result about the complexity of the above problem; however, the mappings $F_{u,p}$ can be considered as a new class of stream ciphers (see section 8).

2. The Algorithm Compute_Z(s, f)

In this section we present a polynomial time algorithm, Compute_Z(s, f), that solves the following problem: given a polynomial $f(x) \in \mathbb{Z}[x]$, in one variable, whose splitting field is $\mathbb{Q}$, find an explicit expression for the meromorphic continuation of $Z(s,f)$. The algorithm is as follows.

Algorithm Compute_Z(s, f)

Input: A polynomial $f(x) \in \mathbb{Z}[x]$, in one variable, whose splitting field is $\mathbb{Q}$.
Output: A rational function of $p^{-s}$ that is the meromorphic continuation of $Z(s,f)$.

(1) Factorize $f(x)$ in $\mathbb{Q}[x]$: $f(x) = a_0 \prod_{i=1}^{r} (x - \alpha_i)^{e_i} \in \mathbb{Q}[x]$.

(2) Compute
$$l_f = \begin{cases} 1 + \max\{v_p(\alpha_i - \alpha_j) \mid i \neq j,\ 1 \leq i, j \leq r\}, & \text{if } r \geq 2; \\ 1, & \text{if } r = 1. \end{cases}$$

(3) Compute the $p$-adic expansions of the numbers $\alpha_i$, $i = 1, 2, \dots, r$, modulo $p^{l_f + 1}$.

(4) Compute the tree $T(f, l_f)$ associated to $f(x)$ and $p$ (for the definition of $T(f, l_f)$ see (4.2)).

(5) Compute the generating function $G(s, T(f, l_f), p)$ attached to $T(f, l_f)$ (for the definition of $G(s, T(f, l_f), p)$ see (5.1)).

(6) Return $Z(s,f) = G(s, T(f, l_f), p)$.

(7) End

In section 7, we shall give a proof of the correctness and a complexity estimate for the algorithm Compute_Z(s, f). The first step in our algorithm is accomplished by means of the factoring algorithm by A. K. Lenstra, H. Lenstra and L. Lovász [17]. If $d_f$ denotes the degree of $f(x) = \sum_i a_i x^i$ and $\|f\|$ the norm of $f$ used in [17], then the mentioned factoring algorithm needs $O(d_f^6 + d_f^5 \log \|f\|)$ arithmetic operations, and the integers on which these operations are performed each have a binary length $O(d_f^3 + d_f^2 \log \|f\|)$ [17, theorem 3.6].

The steps 2, 3, 4, 5 reduce in polynomial time the computation of $Z(s,f)$ to the computation of a factorization of $f(x)$ over $\mathbb{Q}$. This reduction is accomplished by constructing a weighted tree from the $p$-adic expansions of the roots of $f(x)$ modulo a certain power of $p$ (see section 4), and then associating a generating function to this tree (see section 5). Finally, we shall prove that the generating function constructed in this way coincides with the local zeta function of $f(x)$ (see section 5).

3. p-adic Stationary Phase Formula

Our main tool in the effective computation of Igusa's local zeta function of a polynomial in one variable will be the $p$-adic stationary phase formula, abbreviated SPF [16]. This formula is a recursive procedure for computing local zeta functions. By using this procedure it is possible to compute the local zeta functions for many classes of polynomials ([16] and the references therein, [?], [?], [?]).

Given a polynomial $f(x) \in \mathbb{Z}_p[x] \setminus p\mathbb{Z}_p[x]$, we denote by $\bar{f}(x)$ its reduction modulo $p\mathbb{Z}_p$, i.e., the polynomial obtained by reducing the coefficients of $f(x)$ modulo $p\mathbb{Z}_p$. We define for each $x_0 \in \mathbb{Z}_p$,

$$f_{x_0}(x) = p^{-e_{x_0}} f(x_0 + px),$$

where $e_{x_0}$ is the minimum order of $p$ in the coefficients of $f(x_0 + px)$. Thus $f_{x_0}(x) \in \mathbb{Z}_p[x] \setminus p\mathbb{Z}_p[x]$. We shall call the polynomial $f_{x_0}(x)$ the dilatation of $f(x)$ at $x_0$. We also define

$$\nu(\bar{f}) = \mathrm{Card}\{z \in \mathbb{F}_p \mid \bar{f}(z) \neq 0\},$$

$$\delta(\bar{f}) = \mathrm{Card}\{z \in \mathbb{F}_p \mid z \text{ is a simple root of } \bar{f}(z) = 0\}.$$

We shall use $\{0, 1, \dots, p-1\} \subset \mathbb{Z}_p$ as a set of representatives of the elements of $\mathbb{F}_p = \mathbb{Z}/p\mathbb{Z} = \{\bar{0}, \bar{1}, \dots, \overline{p-1}\}$. Let $S = S(\bar{f})$ denote the subset of $\{0, 1, \dots, p-1\} \subset \mathbb{Z}_p$ which is mapped bijectively by the canonical homomorphism $\mathbb{Z}_p \to \mathbb{Z}_p/p\mathbb{Z}_p$ to the set of roots of $\bar{f}(z) = 0$ with multiplicity greater than or equal to two.

With all the above notation we are able to state the $p$-adic stationary phase formula for polynomials in one variable.

Proposition 3.1 ([14, theorem 10.2.1]). Let $f(x) \in \mathbb{Z}_p[x] \setminus p\mathbb{Z}_p[x]$ be a non-constant polynomial. Then

$$Z(s,f) = p^{-1}\nu(\bar{f}) + \delta(\bar{f})\,\frac{(1-p^{-1})\,p^{-1-s}}{1-p^{-1-s}} + \sum_{\xi \in S} p^{-1-e_{\xi}s} \int_{\mathbb{Z}_p} |f_{\xi}(x)|_p^s \, dx.$$

The following example illustrates the use of the $p$-adic stationary phase formula, and also the basic aspects of our algorithm for computing $Z(s,f)$.

3.1. Example. Let $f(x) = (x-\alpha_1)(x-\alpha_2)^3(x-\alpha_3)(x-\alpha_4)^2(x-\alpha_5)$ be a polynomial such that $\alpha_1, \alpha_2, \alpha_3, \alpha_4, \alpha_5$ are integers having the following $p$-adic expansions:

$$\alpha_1 = a + dp + kp^2,\quad \alpha_2 = a + dp + lp^2,\quad \alpha_3 = b + gp + mp^2,\quad \alpha_4 = c + hp + np^2,\quad \alpha_5 = c + hp + rp^2,$$

where the $p$-adic digits $a, b, c, d, g, h, k, l, m, n, r$ belong to $\{0, 1, \dots, p-1\}$. We assume the $p$-adic digits to be pairwise different. The local zeta function $Z(s,f)$ will be computed by using SPF iteratively.

By applying SPF with $\bar{f}(x) = (x-a)^4(x-b)(x-c)^3$, $\nu(\bar{f}) = p-3$, $\delta(\bar{f}) = 1$, $S = \{a, c\}$, $f_a(x) = p^{-4}f(a+px)$, and $f_c(x) = p^{-3}f(c+px)$, we obtain that

(3.1)  $Z(s,f) = p^{-1}(p-3) + \dfrac{(1-p^{-1})p^{-1-s}}{1-p^{-1-s}} + p^{-1-4s}\displaystyle\int_{\mathbb{Z}_p}|f_a(x)|_p^s\,|dx| + p^{-1-3s}\displaystyle\int_{\mathbb{Z}_p}|f_c(x)|_p^s\,|dx|.$

We apply SPF to the integrals involving $f_a(x)$ and $f_c(x)$ in (3.1). First, we consider the integral corresponding to $f_a(x)$. Since $\bar{f}_a(x) = (x-d)^4(a-b)(a-c)^3$, $S = \{d\}$, $f_{a,d}(x) = p^{-4}f_a(d+px)$, $\nu(\bar{f}_a) = p-1$, and $\delta(\bar{f}_a) = 0$, it follows from (3.1) using SPF that

(3.2)  $Z(s,f) = p^{-1}(p-3) + \dfrac{(1-p^{-1})p^{-1-s}}{1-p^{-1-s}} + p^{-1}(p-1)p^{-1-4s} + p^{-2-8s}\displaystyle\int_{\mathbb{Z}_p}|f_{a,d}(x)|_p^s\,|dx| + p^{-1-3s}\displaystyle\int_{\mathbb{Z}_p}|f_c(x)|_p^s\,|dx|.$

Now, we apply SPF to the integral involving $f_c(x)$ in (3.2). Since $\bar{f}_c(x) = (c-a)^4(c-b)(x-h)^3$, $S = \{h\}$, $f_{c,h}(x) = p^{-3}f_c(h+px)$, $\nu(\bar{f}_c) = p-1$, and $\delta(\bar{f}_c) = 0$, it follows from (3.2) using SPF that

(3.3)  $Z(s,f) = p^{-1}(p-3) + \dfrac{(1-p^{-1})p^{-1-s}}{1-p^{-1-s}} + p^{-1}(p-1)p^{-1-4s} + p^{-2-8s}\displaystyle\int_{\mathbb{Z}_p}|f_{a,d}(x)|_p^s\,|dx| + p^{-1}(p-1)p^{-1-3s} + p^{-2-6s}\displaystyle\int_{\mathbb{Z}_p}|f_{c,h}(x)|_p^s\,|dx|.$

By applying SPF to the integral involving $f_{a,d}(x)$ in (3.3), with $\bar{f}_{a,d}(x) = (x-k)(x-l)^3(d-b)(d-c)^3$, $S = \{l\}$, $f_{a,d,k}(x) = p^{-1}f_{a,d}(k+px)$, $|f_{a,d,k}(x)|_p = |x|_p$, $f_{a,d,l}(x) = p^{-3}f_{a,d}(l+px)$, $|f_{a,d,l}(x)|_p = |x|_p^3$, $\nu(\bar{f}_{a,d}) = p-2$, and $\delta(\bar{f}_{a,d}) = 1$, we obtain that

(3.4)  $Z(s,f) = p^{-1}(p-3) + \dfrac{(1-p^{-1})p^{-1-s}}{1-p^{-1-s}} + p^{-1}(p-1)p^{-1-4s} + p^{-1}(p-1)p^{-1-3s} + p^{-1}(p-2)p^{-2-8s} + \dfrac{(1-p^{-1})p^{-3-9s}}{1-p^{-1-s}} + \dfrac{(1-p^{-1})p^{-3-11s}}{1-p^{-1-3s}} + p^{-2-6s}\displaystyle\int_{\mathbb{Z}_p}|f_{c,h}(x)|_p^s\,|dx|.$

Finally, by applying SPF to the integral involving $f_{c,h}(x)$ in (3.4), we obtain that

(3.5)  $Z(s,f) = p^{-1}(p-3) + \dfrac{(1-p^{-1})p^{-1-s}}{1-p^{-1-s}} + p^{-1}(p-1)p^{-1-4s} + p^{-1}(p-1)p^{-1-3s} + p^{-1}(p-2)p^{-2-8s} + \dfrac{(1-p^{-1})p^{-3-9s}}{1-p^{-1-s}} + \dfrac{(1-p^{-1})p^{-3-11s}}{1-p^{-1-3s}} + p^{-1}(p-2)p^{-2-6s} + \dfrac{(1-p^{-1})p^{-3-7s}}{1-p^{-1-s}} + \dfrac{(1-p^{-1})p^{-3-8s}}{1-p^{-1-2s}}.$

Remark 3.1. If $\alpha \in \mathbb{Q}$ and $v_p(\alpha) < 0$, then

(3.6)  $|x - \alpha|_p = |\alpha|_p$, for every $x \in \mathbb{Z}_p$.

On the other hand, a polynomial of the form

$$f(x) = a_0 \prod_{i=1}^{r} (x - \alpha_i)^{e_i} \in \mathbb{Q}[x],$$

can be decomposed as $f(x) = a_0 f_-(x) f_+(x)$, where

(3.7)  $f_-(x) = \prod_{\{i \mid v_p(\alpha_i) < 0\}} (x - \alpha_i)^{e_i}$, and $f_+(x) = \prod_{\{i \mid v_p(\alpha_i) \geq 0\}} (x - \alpha_i)^{e_i}$.

From (3.6) and (3.7) it follows that

$$Z(s,f) = \Big|\, a_0 \prod_{\{\alpha_i \mid v_p(\alpha_i) < 0\}} \alpha_i^{e_i} \Big|_p^{s}\; Z(s, f_+).$$

Thus, from a computational point of view, we may assume without loss of generality that all roots of $f(x)$ are $p$-adic integers.

4. Trees and p-adic Numbers

The tree $U = U(p)$ of residue classes modulo powers of a given prime number $p$ is defined as follows. Consider the diagram

$$\{0\} = \mathbb{Z}/p^0\mathbb{Z} \xleftarrow{\ \phi_1\ } \mathbb{Z}/p\mathbb{Z} \xleftarrow{\ \phi_2\ } \mathbb{Z}/p^2\mathbb{Z} \xleftarrow{\ \phi_3\ } \cdots$$

where the $\phi_l$ are the natural homomorphisms. The vertices of $U$ are the elements of $\mathbb{Z}/p^l\mathbb{Z}$, for $l = 0, 1, 2, \dots$, and the directed edges are $u \to v$ where $u \in \mathbb{Z}/p^l\mathbb{Z}$ and $\phi_l(u) = v$, for some $l > 0$. Thus $U$ is a rooted tree with root $\{0\}$. Exactly one directed edge emanates from each vertex of $U$, except from the vertex $\{0\}$, from which no edge emanates. In addition, every vertex is the end point of exactly $p$ directed edges.

Given two vertices $u, v$, the notation $u > v$ will mean that there is a sequence of vertices and edges of the form

$$u \to u^{(1)} \to \cdots \to u^{(k)} = v.$$

The notation $u \geq v$ will mean that $u = v$ or $u > v$. The level $l(u)$ of a vertex $u$ is $m$ if $u \in \mathbb{Z}/p^m\mathbb{Z}$. The valence $\mathrm{Val}(u)$ of a vertex $u$ is defined as the number of directed edges whose end point is $u$.
A subtree, or simply a tree, is defined as a nonempty subset $T$ of vertices of $U$, such that when $u \in T$ and $u > v$, then $v \in T$. Thus $T$ together with the directed edges $u \to v$, where $u, v \in T$, is again a tree with root $\{0\}$.

A tree $T$ is named a weighted tree, if there exists a weight function $W : T \to \mathbb{N}$. The value $W(u)$ is called the weight of vertex $u$.

If $x \in \mathbb{Z}_p$, and $x_l$ denotes its residue class modulo $p^l$, then every vertex of $U$ is of the type $x_l$ with $l \in \mathbb{N}$.

A stalk is defined as a tree having at most one vertex at each level. Thus a stalk is either finite, of the type

$$\{0\} \leftarrow u^{(1)} \leftarrow \cdots \leftarrow u^{(k)},$$

or infinite, of the type

$$\{0\} \leftarrow u^{(1)} \leftarrow u^{(2)} \leftarrow \cdots.$$

Clearly a finite stalk may be written as

$$\{0\} \leftarrow x_1 \leftarrow \cdots \leftarrow x_k,$$

with $x \in \mathbb{Z}$, and infinite stalks as

$$\{0\} \leftarrow x_1 \leftarrow x_2 \leftarrow \cdots$$

with $x \in \mathbb{Z}_p$. Thus there is a $1$-$1$ correspondence between infinite stalks and $p$-adic integers.

4.1. Tree Attached to a Polynomial. Let

(4.1)  $f(x) = a_0 \prod_{i=1}^{r} (x - \alpha_i)^{e_i} \in \mathbb{Q}[x]$

be a non-constant polynomial, in one variable, of degree $d_f$, such that $v_p(\alpha_i) \geq 0$, $i = 1, 2, \dots, r$. We associate to $f(x)$ and a prime number $p$ the integer

$$l_f = \begin{cases} 1 + \max\{v_p(\alpha_i - \alpha_j) \mid i \neq j,\ 1 \leq i, j \leq r\}, & \text{if } r \geq 2; \\ 1, & \text{if } r = 1. \end{cases}$$

We set

$$\alpha_i = a_{0,i} + a_{1,i}\,p + \cdots + a_{j,i}\,p^j + \cdots + a_{l_f,i}\,p^{l_f} \bmod p^{l_f+1},$$

$a_{j,i} \in \{0, 1, \dots, p-1\}$, $j = 0, 1, \dots, l_f$, $i = 1, 2, \dots, r$, for the $p$-adic expansion modulo $p^{l_f+1}$ of $\alpha_i$. We attach a weighted tree $T(f, l_f)$ to $f$ as follows:

(4.2)  $T(f,p) = T(f, l_f) = \bigcup_{i=1}^{r} K(\alpha_i, l_f),$

where $K(\alpha_i, l_f)$ denotes the stalk corresponding to the $p$-adic expansion of $\alpha_i$ modulo $p^{l_f+1}$. Thus $T(f, l_f)$ is a rooted tree. We introduce a weight function on $T(f, l_f)$, by defining the weight of a vertex $u$ of level $m$ as

(4.3)  $W(u) = \begin{cases} \sum_{\{i \mid \alpha_i \equiv u \bmod p^m\}} e_i, & \text{if } m \geq 1; \\ 0, & \text{if } m = 0. \end{cases}$

Given a vertex $u \in T(f, l_f)$, we define the stalk generated by $u$ to be $B_u = \{v \in T(f, l_f) \mid u \geq v\}$. We associate a weight $W^*(B_u)$ to $B_u$ as follows:

(4.4)  $W^*(B_u) = \sum_{v \in B_u} W(v).$

4.2. Computation of Trees Attached to Polynomials. Our next step is to show that a tree $T(f, l_f)$ attached to a polynomial $f(x)$, of type (4.1), can be computed in polynomial time. There are well known programming techniques to construct and manipulate trees and forests (see e.g. [?, Volume 1]); for this reason, we shall focus on showing that such computations can be carried out in polynomial time, and set aside the implementation details of a particular algorithm for this task. We shall include in the computation of $T(f, l_f)$ the computation of the weights of the stalks generated by its vertices, because all these data will be used in the computation of the local zeta function of $f$.

Proposition 4.1. The computation of a tree $T(f, l_f)$ attached to a polynomial $f(x)$, of type (4.1), from the $p$-adic expansions modulo $p^{l_f+1}$ of its roots

$$\alpha_i = a_{0,i} + a_{1,i}\,p + \cdots + a_{l_f,i}\,p^{l_f} \bmod p^{l_f+1}$$

and multiplicities $e_i$, $i = 1, 2, \dots, r$, involves $O(l_f^2 d_f^3)$ arithmetic operations on integers with binary length

$$O(\max\{\log p, \log(l_f d_f)\}).$$
Proof. We assume that $T(f, l_f)$ is a finite set of the form

(4.5)  $T = \{\mathrm{Level}_0, \dots, \mathrm{Level}_j, \dots, \mathrm{Level}_{l_f+1}\},$

where $\mathrm{Level}_j$ represents the set of all vertices with level $j$. Each $\mathrm{Level}_j$ is a set of the form

$$\mathrm{Level}_j = \{u_{j,1}, \dots, u_{j,i}, \dots, u_{j,m_j}\},$$

and each $u_{j,i}$ is a weighted vertex for every $i = 1, \dots, m_j$. A weighted vertex $u_{j,i}$ is a set of the form

$$u_{j,i} = \{W(u_{j,i}), \mathrm{Val}(u_{j,i}), W^*(B_{u_{j,i}})\},$$

where $W(u_{j,i})$ is the weight of $u_{j,i}$, $\mathrm{Val}(u_{j,i})$ is its valence, and $W^*(B_{u_{j,i}})$ is the weight of the stalk $B_{u_{j,i}}$. The weight of the stalk generated by $u_{j,i}$ can be written as

$$W^*(B_{u_{j,i}}) = \sum_{v \in B_{u_{j,i}}} W(v).$$

For the computation of a vertex $u_{j,i}$ of level $j$, we proceed as follows. We put $I = \{1, 2, \dots, r\}$, and

$$M_j = \{\alpha_i \bmod p^j \mid i \in I\}.$$

For each $0 \leq j \leq l_f + 1$, we compute a partition of $I$ of type

(4.6)  $I = \bigcup_{i=1}^{m_j} I_{j,i},$

such that $\alpha_t \bmod p^j = \alpha_s \bmod p^j$ for every $t, s \in I_{j,i}$. Each subset $I_{j,i}$ corresponds to a vertex $u_{j,i}$ of level $j$. This computation requires $O(l_f r^2)$ arithmetic operations on integers with binary length $O(\log p)$. Indeed, the cost of computing a "yes or no" answer for the question "$\alpha_t \bmod p^j = \alpha_s \bmod p^j$?" is $O(j)$ comparisons of integers with binary length $O(\log p)$. In the worst case, there are $r$ vectors $M_j$, and the computation of partition (4.6), for a fixed $j$, involves the comparison of $\alpha_t$ with $\alpha_l$ for $l = t+1, t+2, \dots, r$. This computation requires $O(jr^2)$ arithmetic operations on integers with binary length $O(\log p)$. Since $j \leq l_f + 1$, the computation of partition (4.6) requires $O(l_f r^2)$ arithmetic operations on integers with binary length $O(\log p)$.

The weight of the vertex $u_{j,i}$ is given by the expression

$$W(u_{j,i}) = \sum_{k \in I_{j,i}} e_k.$$

Thus the computation of the weight of a vertex requires $O(r)$ additions of integers with binary length $O(\log(d_f r))$.

For the computation of the valence of $u_{j,i}$, we proceed as follows. The valence of $u_{j,i}$ can be expressed as

$$\mathrm{Val}(u_{j,i}) = \mathrm{Card}\{I_{j+1,l} \mid I_{j+1,l} \subset I_{j,i}\},$$

where $I_{j+1,l}$ runs through all possible sets that correspond to the vertices $u_{j+1,l}$ with level $j+1$. Thus the computation of $\mathrm{Val}(u_{j,i})$ involves the computation of a "yes or no" answer for the question "$I_{j+1,l} \subset I_{j,i}$?". The computation of a "yes or no" answer involves $O(r)$ comparisons of integers with binary length $O(\log r)$. Therefore the computation of $\mathrm{Val}(u_{j,i})$ involves $O(r)$ comparisons and $O(r)$ additions of integers with binary length $O(\log r)$.

For the computation of the weight of $B_{u_{j,i}}$, we observe that $W^*(B_{u_{j,i}})$ is given by the formula

$$W^*(B_{u_{j,i}}) = W(u_{j,i}) + \sum_{l=0}^{j-1} W(I_{l,k}),$$

where, for each $l$, $I_{l,k}$ is the subset of level $l$ in (4.6) that contains $I_{j,i}$, $W(I_{l,k}) = W(u_{l,k})$, and $u_{l,k}$ is the vertex corresponding to $I_{l,k}$. Thus the computation of $W^*(B_{u_{j,i}})$ involves $O(l_f)$ additions of integers with binary length $O(\log(l_f d_f))$, and $O(l_f r)$ comparisons of integers with binary length $O(\log r)$.

From the above reasoning it follows that the computation of a vertex of a tree $T(f, l_f)$ involves at most $O(l_f r^2)$ arithmetic operations (additions and comparisons) on integers with binary length $O(\max\{\log p, \log(l_f d_f)\})$. Finally, since the number of vertices of $T(f, l_f)$ is at most $O(l_f d_f)$, it follows that the computation of a tree of type $T(f, l_f)$ involves $O(l_f^2 d_f^3)$ arithmetic operations on integers with binary length $O(\max\{\log p, \log(l_f d_f)\})$. □



5. Generating Functions and Trees

In this section we attach to a weighted tree $T(f, l_f)$ and a prime $p$ a generating function $G(s, T(f, l_f), p) \in \mathbb{Q}(p^{-s})$ defined as follows. We set

$$M_{T(f, l_f)} = \{u \in T(f, l_f) \mid W(u) = 1, \text{ and there exists no } v \in T(f, l_f) \text{ with } W(v) = 1 \text{ such that } u > v\},$$

and

$$L_u(p^{-s}) = \begin{cases}
\dfrac{(1-p^{-1})\,p^{-l(u) - W^*(B_u)s}}{1 - p^{-1-W(u)s}}, & \text{if } l(u) = 1 + l_f, \text{ and } W(u) \geq 2; \\[2ex]
p^{-1}(p - \mathrm{Val}(u))\,p^{-l(u) - W^*(B_u)s}, & \text{if } 0 \leq l(u) \leq l_f, \text{ and } W(u) \neq 1; \\[2ex]
\dfrac{(1-p^{-1})\,p^{-l(u) - W^*(B_u)s}}{1 - p^{-1-s}}, & \text{if } u \in M_{T(f, l_f)}; \\[2ex]
0, & \text{if } W(u) = 1, \text{ and } u \notin M_{T(f, l_f)}.
\end{cases}$$

With all the above notation, we define the generating function attached to $T(f, l_f)$ and $p$ as

(5.1)  $G(s, T(f, l_f), p) = \sum_{u \in T(f, l_f)} L_u(p^{-s}).$

Our next goal is to show that $G(s, T(f, l_f), p) = Z(s, f)$. The proof of this fact requires the following preliminary result.

Proposition 5.1. The generating function attached to a tree $T(f, l_f)$ and a prime $p$ satisfies

(5.2)  $G(s, T(f, l_f), p) = p^{-1}\nu(\bar{f}) + \delta(\bar{f})\,\dfrac{(1-p^{-1})\,p^{-1-s}}{1-p^{-1-s}} + \displaystyle\sum_{\xi \in S} p^{-1-e_{\xi}s}\, G(s, T(f_{\xi}, l_f - 1), p).$

Proof. Let $A_f = \{u \in T(f, l_f) \mid l(u) = 1, W(u) = 1\}$, and $B_f = \{u \in T(f, l_f) \mid l(u) = 1, W(u) \geq 2\}$. We have the following partition for $T(f, l_f)$:

(5.3)  $T(f, l_f) = \{0\} \cup A_f \cup \Big( \bigcup_{u \in B_f} T_u \Big),$

with

$$T_u = \{v \in T(f, l_f) \mid v \geq u\}.$$

Each $T_u$ is a rooted tree with root $\{u\}$. From partition (5.3) and the definition of $G(s, T(f, l_f), p)$, it follows that

(5.4)  $G(s, T(f, l_f), p) = p^{-1}(p - \mathrm{Val}(\{0\})) + \mathrm{Card}\{A_f\}\,\dfrac{(1-p^{-1})\,p^{-1-s}}{1-p^{-1-s}} + \displaystyle\sum_{u \in B_f} G(s, T_u),$

with $G(s, T_u) = \sum_{v \in T_u} L_v(p^{-s})$.

Since there exists a bijective correspondence between the roots of $\bar{f}(x) = 0 \bmod p$ and the vertices of $T(f, l_f)$ with level 1,

(5.5)  $p - \mathrm{Val}(\{0\}) = \nu(\bar{f})$, and $\mathrm{Card}\{A_f\} = \delta(\bar{f})$.

Now, if the vertex $u$ corresponds to the root $\xi$ of $\bar{f}(\xi) = 0 \bmod p$, then

(5.6)  $T_u = \Big( \bigcup_{\{\alpha_i \mid \alpha_i \equiv \xi \bmod p\}} K(\alpha_i, l_f) \Big) \setminus \{0\}.$

On the other hand, we have that

(5.7)  $T(f_{\xi}, l_f - 1) = \bigcup_{\{\alpha_i \mid \alpha_i \equiv \xi \bmod p\}} K\Big(\dfrac{\alpha_i - \xi}{p}, l_f - 1\Big).$

Now we remark that the map $\alpha_i \mapsto \frac{\alpha_i - \xi}{p}$ induces an isomorphism between the trees $T_u$ and $T(f_{\xi}, l_f - 1)$ that preserves the weights of the vertices; and thus we may suppose that $T_u = T(f_{\xi}, l_f - 1)$. The level function $l_T$ of $T(f_{\xi}, l_f - 1)$ is related to the level function $l_{T_u}$ of $T_u$ by means of the equality $l_T - l_{T_u} = -1$. In addition, $B_f = S$, where $S$ is the subset of $\{0, 1, \dots, p-1\} \subset \mathbb{Z}_p$ whose reduction modulo $p\mathbb{Z}_p$ is equal to the set of roots of $\bar{f}(\xi) = 0$ with multiplicity greater than or equal to two. Therefore, it holds that

(5.8)  $G(s, T_u) = p^{-1-e_{\xi}s}\, G(s, T(f_{\xi}, l_f - 1), p).$

The result follows from (5.4) by the identities (5.5) and (5.8). □

Lemma 5.1. Let $p$ be a fixed prime number and $v_p$ the corresponding $p$-adic valuation, and

$$f(x) = a_0 \prod_{i=1}^{r} (x - \alpha_i)^{e_i} \in \mathbb{Q}[x] \setminus \mathbb{Q},$$

a polynomial such that $v_p(\alpha_i) \geq 0$, for $i = 1, \dots, r$. Then

$$Z(s,f) = G(s, T(f, l_f), p).$$

Proof. We proceed by induction on $l_f$.

Case $l_f = 1$.

If $r = 1$ the proof follows immediately, thus we may assume that $r \geq 2$. Since $l_f = 1$, it holds that $v_p(\alpha_i - \alpha_j) = 0$ for every $i, j$ satisfying $i \neq j$, and thus $\bar{\alpha}_i \neq \bar{\alpha}_j$ if $i \neq j$. By applying SPF, we have that

(5.9)  $Z(s,f) = p^{-1}\nu(\bar{f}) + \delta(\bar{f})\,\dfrac{(1-p^{-1})\,p^{-1-s}}{1-p^{-1-s}} + \displaystyle\sum_{\xi \in S} p^{-1-e_{\xi}s} \int_{\mathbb{Z}_p} |f_{\xi}(x)|_p^s\, dx,$

where each $e_{\xi} = e_j \geq 2$, for some $j$, and $\alpha_j = \xi + p\beta_j$.

On the other hand, $T(f, l_f)$ is a rooted tree with $r$ vertices $v_j$ satisfying $l(v_j) = 1$ and $W(v_j) = e_j$, for $j = 1, \dots, r$. These observations allow one to deduce that $Z(s,f) = G(s, T(f, l_f), p)$.

By the induction hypothesis, we may assume that $Z(s,f) = G(s, T(f, l_f), p)$ for every polynomial $f$ satisfying both the hypothesis of the lemma and the condition $1 \leq l_f \leq k$, $k \in \mathbb{N}$.

Case $l_f = k + 1$, $k \in \mathbb{N}$.

Let $f(x)$ be a polynomial satisfying the lemma's hypothesis, and $l_f = k + 1$, $k \geq 1$. By applying SPF, we obtain that

(5.10)  $Z(s,f) = p^{-1}\nu(\bar{f}) + \delta(\bar{f})\,\dfrac{(1-p^{-1})\,p^{-1-s}}{1-p^{-1-s}} + \displaystyle\sum_{\xi \in S} p^{-1-e_{\xi}s} \int_{\mathbb{Z}_p} |f_{\xi}(x)|_p^s\, dx.$

Now, since $l_{f_{\xi}} = l_f - 1$ for every $\xi \in S$, it follows from the induction hypothesis applied to each $f_{\xi}(x)$ in (5.10) that

(5.11)  $Z(s,f) = p^{-1}\nu(\bar{f}) + \delta(\bar{f})\,\dfrac{(1-p^{-1})\,p^{-1-s}}{1-p^{-1-s}} + \displaystyle\sum_{\xi \in S} p^{-1-e_{\xi}s}\, G(s, T(f_{\xi}, l_f - 1), p).$

Finally, from identity (5.2) and (5.11), we conclude that

(5.12)  $Z(s,f) = G(s, T(f, l_f), p).$ □

The following proposition gives a complexity estimate for the computation of $G(s, T(f, l_f), p)$.

Proposition 5.2. The computation of the generating function $G(s, T(f, l_f), p)$ from $T(f, l_f)$ involves $O(l_f d_f)$ arithmetic operations on integers with binary length $O(\max\{\log p, \log(l_f d_f)\})$.

Proof. This is a consequence of proposition 4.1 and the definition of the generating function. □

6. Computation of p-adic Expansions

In this section we estimate the complexity of the steps 2 and 3 in the algorithm Compute_Z(s, f).

Proposition 6.1. Let

$$B = \max_{\substack{1 \leq i, j \leq r \\ i \neq j}} \Big\{ |c_{j,i}|, |d_{j,i}| \ \Big|\ \alpha_j - \alpha_i = \frac{c_{j,i}}{d_{j,i}},\ c_{j,i}, d_{j,i} \in \mathbb{Z} \setminus \{0\} \Big\}.$$

The computation of the integer $l_f$ involves $O\big(d_f^2 \frac{\log B}{\log p}\big)$ arithmetic operations on integers with binary length $O(\max\{\log B, \log p\})$.

Proof. First, we observe that for $c \in \mathbb{Z} \setminus \{0\}$, the computation of $v_p(c)$ involves divisions of integers of binary length $O(\max\{\log|c|, \log p\})$. Thus the computation of $v_p(\frac{c}{d}) = v_p(c) - v_p(d)$ involves $O\big(\frac{\max\{\log|c|, \log|d|\}}{\log p}\big)$ divisions and subtractions of integers with binary length

$$O(\max\{\log|c|, \log|d|, \log p\}).$$

From these observations it follows that the computation of $v_p(\alpha_j - \alpha_i)$, $i \neq j$, $1 \leq i, j \leq r$, involves $O(r^2)$ arithmetic operations on integers with binary length $O(\max\{\log B, \log p\})$. Finally, the computation of the maximum of the $v_p(\alpha_j - \alpha_i)$, $i \neq j$, $1 \leq i, j \leq r$, involves $O(\log r)$ comparisons of integers with binary length $O(\max\{\log B, \log p\})$. Therefore the computation of the integer $l_f$ involves at most $O\big(d_f^2 \frac{\log B}{\log p}\big)$ arithmetic operations on integers with binary length $O(\max\{\log B, \log p\})$. □

Proposition 6.2. Let $p$ be a fixed prime and $\gamma = \frac{c}{b} \in \mathbb{Q}$, with $c, b \in \mathbb{Z} \setminus \{0\}$, and $v_p(b) = 0$. The computation of the $p$-adic expansion

$$\gamma = a_0 + a_1\,p + \cdots + a_j\,p^j + \cdots + a_m\,p^m$$

modulo $p^{m+1}$ involves $O(m + \log(\max\{|b|, p\}))$ arithmetic operations on integers with binary length $O(\max\{\log|c|, \log|b|, \log p\})$.

Proof. Let $y \in \{1, \dots, p-1\}$ be an integer such that $yb \equiv 1 \bmod p$. This integer can be computed by means of the Euclidean algorithm in $O(\log(\max\{|b|, p\}))$ arithmetic operations involving integers of binary length $O(\max\{\log|b|, \log p\})$ (cf. [?, Volume 2, section 4.5.2]).

We set $\gamma = \gamma_0 = \frac{c}{b}$, $c_0 = c$, and define $a_0 = yc \bmod p$. With this notation, the $p$-adic digits $a_i$, $i = 1, \dots, m$, can be computed recursively as follows:

$$\gamma_i = \frac{\gamma_{i-1} - a_{i-1}}{p} = \frac{c_i}{b}, \qquad a_i = y c_i \bmod p.$$

Thus the computation of the $p$-adic expansion of $\gamma$ needs $O(m + \log(\max\{|b|, p\}))$ arithmetic operations on integers with binary length

$$O(\max\{\log|c|, \log|b|, \log p\}).$$ □

Corollary 6.1. Let $p$ be a fixed prime number and $v_p$ the corresponding $p$-adic valuation, and

$$f(x) = a_0 \prod_{i=1}^{r} (x - \alpha_i)^{e_i} \in \mathbb{Q}[x]$$

a non-constant polynomial such that $v_p(\alpha_i) \geq 0$, $i = 1, \dots, r$. The computation of the $p$-adic expansions modulo $p^{l_f+1}$ of the roots $\alpha_i$, $i = 1, 2, \dots, r$, of $f(x)$ involves $O(d_f l_f + d_f \log(\max\{B, p\}))$ arithmetic operations on integers with binary length $O(\max\{\log B, \log p\})$.

Proof. The corollary follows directly from the two previous propositions. □

7. Computing Local Zeta Functions of Polynomials with Splitting Field Q

In this section we prove the correctness of the algorithm Compute_Z(s, f) and estimate its complexity.

Theorem 7.1. The algorithm Compute_Z(s, f) outputs the meromorphic continuation of the Igusa local zeta function $Z(s,f)$ of a polynomial $f(x) \in \mathbb{Z}[x]$ in one variable, with splitting field $\mathbb{Q}$. The number of arithmetic operations needed by the algorithm is

$$O\big(d_f^6 + d_f^5 \log\|f\| + l_f^2 d_f^3 + d_f^2 \log(\max\{B, p\})\big),$$

and the integers on which these operations are performed have a binary length

$$O\big(\max\{\log p,\ \log(l_f d_f),\ \log B,\ d_f^3 + d_f^2 \log\|f\|\}\big).$$

Proof. By remark 3.1, we may assume without loss of generality that

$$f(x) = a_0 \prod_{i=1}^{r} (x - \alpha_i)^{e_i} \in \mathbb{Q}[x] \setminus \mathbb{Q},$$

with $v_p(\alpha_i) \geq 0$, $i = 1, \dots, r$. The correctness of the algorithm follows from lemma 5.1. The complexity estimates are obtained as follows: the number of arithmetic operations needed in the steps 2 (cf. proposition 6.1), 3 (cf. corollary 6.1), 4 (cf. proposition 4.1), 5 (cf. proposition 5.2), and 6 is at most

$$O\big(l_f^2 d_f^3 + d_f^2 \log(\max\{B, p\})\big);$$

and these operations are performed on integers whose binary length is at most

$$O(\max\{\log p,\ \log(l_f d_f),\ \log B\}).$$

The estimates for the whole algorithm follow from the above estimates and those of the factoring algorithm by A. K. Lenstra, H. Lenstra and L. Lovász (see theorem 3.6 of [17]). □

8. Stream Ciphers and Poincaré Series

There is a natural connection between Poincaré series and stream ciphers. In order to explain this relation, we recall some basic facts about stream ciphers [18]. Let $\mathbb{F}_{p^n}$ be a finite field with $p^n$ elements, with $p$ a prime number. For any integer $r > 0$ and $r$ fixed elements $q_i \in \mathbb{F}_{p^n}$, $i = 1, \dots, r$ (called taps), a Linear Feedback Shift Register, abbreviated LFSR, of length $r$ consists of $r$ cells with initial contents $\{a_i \in \mathbb{F}_{p^n} \mid i = 1, \dots, r\}$. For any $n \geq r$, if the current state is $(a_{n-1}, \dots, a_{n-r})$, then $a_n$ is determined by the linear recurrence relation

$$a_n = \sum_{i=1}^{r} q_i\, a_{n-i}.$$

The device outputs the rightmost element $a_{n-r}$, shifts all the cells one unit right, and feeds $a_n$ back to the leftmost cell.

Any configuration of the $r$ cells forms a state of the LFSR. If $q_r \neq 0$, the following polynomial $q(x) \in \mathbb{F}_{p^n}[x]$ of degree $r$ appears in the analysis of LFSRs:

$$q(x) = q_0 + q_1 x + \cdots + q_r x^r, \qquad \text{with } q_0 = -1.$$

This polynomial is called the connection polynomial. An infinite sequence $A = \{a_i \in \mathbb{F}_{p^n} \mid i \in \mathbb{N}\}$ has period $T$ if for any $i \geq 0$, $a_{i+T} = a_i$. Such a sequence is called periodic. If this is only true for $i$ greater than some index $i_0$, then the sequence is called eventually periodic. The following facts about an LFSR of length $r$ are well-known [18].

(1) There are only finitely many possible states, and the state with all the cells zero will produce a $0$-sequence. The output sequence is eventually periodic and the maximal period is $p^{nr} - 1$.

(2) The Poincaré series $g(x) = \sum_{i=0}^{\infty} a_i x^i$ associated with the output sequence is called the generating function of the sequence. It is a rational function over $\mathbb{F}_{p^n}$ of the form $g(x) = \frac{L(x)}{R(x)}$, with $L(x), R(x) \in \mathbb{F}_{p^n}[x]$, $\deg(R(x)) \leq r$. The output sequence is strictly periodic if and only if $\deg(L(x)) < \deg(R(x))$.

(3) There is a one-to-one correspondence between LFSRs of length $r$ with $q_r \neq 0$ and rational functions with $\deg(R(x)) = r$ and $\deg(L(x)) < r$.

We set $\mathbb{F}_{p^n}(x)$ for the field of rational functions over $\mathbb{F}_{p^n}$, and $N^{\infty}(\mathbb{F}_{p^n})$ for the set of sequences of the form $\{b_0, \dots, b_u\}$, $b_i \in \mathbb{F}_{p^n}$, $0 \leq i \leq u$, $u \in \mathbb{N}$. From the above considerations, it is possible to identify an LFSR with a function $F_u$, $u \in \mathbb{N}$, defined as follows:

(8.1)  $F_u : \mathbb{F}_{p^n}(x) \to N^{\infty}(\mathbb{F}_{p^n}), \qquad \displaystyle\sum_{i=0}^{\infty} a_i x^i \mapsto \{a_0, \dots, a_u\}.$
We set

$$\mathcal{H} = \{H(t,f) \mid f(x) \in \mathbb{Z}[x] \text{ in one variable, with splitting field } \mathbb{Q}\},$$

and $\mathbb{N}^{\infty}(\mathbb{Z})$ for the set of finite sequences of integers. Also, for each $u \in \mathbb{N}$ and each prime number $p$, we define

$$(8.2)\qquad F_{u,p} : \mathcal{H} \to \mathbb{N}^{\infty}(\mathbb{Z}), \qquad H(t,f) \mapsto \{N_0(f,p), N_1(f,p), \ldots, N_u(f,p)\}.$$

Thus the mappings $F_{u,p}$ can be seen as LFSRs, or stream ciphers, over $\mathbb{Z}$. If each $N_i(f,p)$ is replaced by its binary representation, the $F_{u,p}$ are LFSRs producing binary sequences. For practical purposes it is necessary that $F_{u,p}$ can be computed efficiently, i.e., in polynomial time. Theorem 8.1 below bounds only that cost; nothing in this section analyses how hard the sequence is to predict from a prefix, which is the property a keystream generator would actually need. With the above notation our second result is the following.

Theorem 8.1. For every $H(t,f) \in \mathcal{H}$, the computation of $F_{u,p}(H(t,f))$ involves $O(u^2 d_f l_f)$ arithmetic operations, and the integers on which these operations are performed have binary length

$$O(\max\{(l_f + u)\log p,\ \log(d_f l_f)\}).$$

The proof of this theorem will be given at the end of this section; it requires some preliminary results. We set $t = p^{-s}$ and

$$Z(s,f) = Z(t,f) = \sum_{m=0}^{\infty} c_m(f,p)\, t^m,$$

with $c_m(f,p) = \mathrm{vol}(\{x \in \mathbb{Z}_p \mid v_p(f(x)) = m\})$.

Proposition 8.1. Let $f(x) \in \mathbb{Z}[x] \setminus \mathbb{Z}$ be a polynomial in one variable and $p$ a prime number. The following formula holds for $N_n(f,p)$:

$$(8.3)\qquad N_n(f,p) = \begin{cases} 1, & \text{if } n = 0; \\[1ex] p^n\Big(1 - \displaystyle\sum_{j=1}^{n} c_{j-1}(f,p)\Big), & \text{if } n \geq 1. \end{cases}$$



Proof. The result follows by comparing the coefficient of $t^n$ on both sides of the equality

$$\sum_{n=0}^{\infty} \frac{N_n(f,p)}{p^n}\, t^n = H(t,f) = \frac{1 - t\,Z(t,f)}{1 - t} = \frac{1}{1-t} - \frac{t}{1-t}\sum_{m=0}^{\infty} c_m(f,p)\, t^m = \sum_{n=0}^{\infty} t^n - \sum_{n=1}^{\infty}\Big(\sum_{j=1}^{n} c_{j-1}(f,p)\Big) t^n.$$
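Proposition 8.1 and the map $F_{u,p}$ of (8.2) worked on concrete polynomials, as an added example that is not the paper's algorithm (which reads the $c_m(f,p)$ off the tree $T(f,l_f)$): here the $N_m(f,p)$ are counted directly by lifting solutions from $\mathbb{Z}/p^{m-1}\mathbb{Z}$ to $\mathbb{Z}/p^m\mathbb{Z}$, the $c_m(f,p)$ are recovered from them as exact fractions, and (8.3) (equivalently (8.8)) is checked as a round trip. The sample polynomials are constructed inputs.

```python
from fractions import Fraction

# Added example (not from the paper).  Polynomials are coefficient lists,
# lowest degree first: [-1, 0, 1] is f(x) = x^2 - 1.


def evaluate(f, x, modulus):
    """Horner evaluation of f(x) modulo `modulus`."""
    acc = 0
    for coeff in reversed(f):
        acc = (acc * x + coeff) % modulus
    return acc


def solution_counts(f, p, u):
    """Return [N_0(f,p), ..., N_u(f,p)], i.e. F_{u,p}(H(t,f)) as in (8.2).

    N_m is the number of x in Z/p^m Z with f(x) = 0 mod p^m.  Every such x
    reduces to a solution mod p^{m-1}, so the solutions mod p^m are found by
    lifting each solution mod p^{m-1} to its p candidates x + i p^{m-1}.
    This is a brute-force count, not the paper's tree-based method.
    """
    counts = [1]                          # N_0 = 1 by convention
    roots = [0]                           # the single residue class mod p^0
    modulus = 1
    for _ in range(u):
        step = modulus                    # p^{m-1}
        modulus *= p                      # p^m
        roots = [x + i * step for x in roots for i in range(p)
                 if evaluate(f, x + i * step, modulus) == 0]
        counts.append(len(roots))
    return counts


def c_from_counts(counts, p):
    """c_m = vol{x in Z_p : v_p(f(x)) = m} = N_m / p^m - N_{m+1} / p^{m+1}, as Fractions."""
    return [Fraction(counts[m], p ** m) - Fraction(counts[m + 1], p ** (m + 1))
            for m in range(len(counts) - 1)]


def counts_from_c(c, p, n):
    """Formula (8.3): N_n = p^n (1 - sum_{j=1}^n c_{j-1}), for 0 <= n <= len(c)."""
    if n == 0:
        return 1
    total = p ** n * (1 - sum(c[:n]))
    if total.denominator != 1:            # p^n c_{j-1} is an integer (proof of Prop. 8.3)
        raise ValueError("inconsistent c_m: N_n must be an integer")
    return int(total)


if __name__ == "__main__":
    # Constructed sample: f(x) = x^2 - 1 at p = 2; roots 1 and -1, splitting field Q.
    f, p, u = [-1, 0, 1], 2, 6
    N = solution_counts(f, p, u)
    print(N)                                                    # [1, 1, 2, 4, 4, 4, 4]
    c = c_from_counts(N, p)
    print([str(x) for x in c])                                  # ['1/2', '0', '0', '1/4', '1/8', '1/16']
    print([counts_from_c(c, p, n) for n in range(u + 1)] == N)  # True
```

The lifting count is exact but its work per level is proportional to $p \cdot N_{m-1}$, so it only serves to check small cases (for $f(x) = x^2$ at $p = 2$ the counts already grow like $2^{\lfloor m/2 \rfloor}$); the polynomial-time route is the one Theorem 8.1 is about.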
We associate to each $u \in T(f,l_f)$ and $j \in \mathbb{N}$ a rational number $a_j(u)$ defined as follows:

$$(8.4)\qquad a_j(u) = \begin{cases} \dfrac{p-1}{p^{\,l(u)+1+y(u)}}, & \text{if } l(u) = 1 + l_f,\ W(u) \geq 2,\ j = W^*(B_u) + y(u)\,W(u) \text{ for some } y(u) \in \mathbb{N}; \\[1.5ex] \dfrac{p - \mathrm{Val}(u)}{p^{\,l(u)+1}}, & \text{if } 0 \leq l(u) \leq l_f,\ W(u) \neq 1,\ j = W^*(B_u); \\[1.5ex] \dfrac{p-1}{p^{\,l(u)+1+y(u)}}, & \text{if } W(u) = 1,\ u \notin M_T(f,l_f),\ j = W^*(B_u) + y(u) \text{ for some } y(u) \in \mathbb{N}; \\[1.5ex] 0, & \text{in other cases.} \end{cases}$$



Proposition 8.2. Let $f(x) \in \mathbb{Z}[x] \setminus \mathbb{Z}$ be a polynomial in one variable, with splitting field $\mathbb{Q}$, and $p$ a prime number. The following formula holds:



(8.5) 



Proof. As a consequence of lemma 5.1, we have the following identity:

$$(8.6)\qquad Z(t,f) = \sum_{u \in T(f,l_f)} L_u(t),$$

with

$$(8.7)\qquad L_u(t) = \begin{cases} \dfrac{(p-1)\, t^{W^*(B_u)}}{p^{\,l(u)+1}\,\big(1 - p^{-1} t^{W(u)}\big)}, & \text{if } l(u) = 1 + l_f,\ W(u) \geq 2; \\[1.5ex] \dfrac{p - \mathrm{Val}(u)}{p^{\,l(u)+1}}\, t^{W^*(B_u)}, & \text{if } 0 \leq l(u) \leq l_f,\ W(u) \neq 1; \\[1.5ex] \dfrac{(p-1)\, t^{W^*(B_u)}}{p^{\,l(u)+1}\,(1 - p^{-1} t)}, & \text{if } W(u) = 1,\ u \notin M_T(f,l_f); \\[1.5ex] 0, & \text{in other cases.} \end{cases}$$

The result follows by comparing the coefficient of $t^j$ in the series $Z(t,f) = \sum_{m=0}^{\infty} c_m(f,p)\, t^m$ and $Z(t,f) = \sum_{u \in T(f,l_f)} L_u(t)$; expanding each $L_u(t)$ as a geometric series shows that $a_j(u)$ of (8.4) is exactly the coefficient of $t^j$ in $L_u(t)$.

Proposition 8.3. Let $f(x) \in \mathbb{Z}[x] \setminus \mathbb{Z}$ be a polynomial in one variable, with splitting field $\mathbb{Q}$, and $p$ a prime number.

(1) The computation of $N_n(f,p)$, $n \geq 1$, from the $c_{j-1}(f,p)$, $j = 1, \ldots, n$, involves $O(n)$ arithmetic operations on integers with binary length $O(n \log p)$.

(2) The computation of $c_j(f,p)$, $j \geq 0$, from $Z(t,f)$ involves $O(d_f l_f)$ arithmetic operations on integers with binary length

$$O(\max\{(j + l_f)\log p,\ \log p,\ \log(d_f l_f)\}).$$

(3) The computation of any $N_n(f,p)$ from $Z(t,f)$ involves $O(n d_f l_f)$ arithmetic operations on integers with binary length

$$O(\max\{(n + l_f)\log p,\ \log(d_f l_f)\}).$$

Proof. (1) By (8.4), $c_j(f,p) = S_j\, p^{-m_j}$ with $S_j, m_j \in \mathbb{N}$ for every $j \in \mathbb{N}$. In addition,

$$c_{j-1}(f,p) = p^{-j+1} N_{j-1}(f,p) - p^{-j} N_j(f,p).$$

Thus $p^n c_{j-1}(f,p) \in \mathbb{N}$ and $m_{j-1} \leq n$ for $j = 1, \ldots, n$. From (8.3) it follows that

$$(8.8)\qquad N_n(f,p) = p^n - \sum_{j=1}^{n} p^n c_{j-1}(f,p), \qquad n \geq 1.$$

This formula implies that the computation of $N_n(f,p)$, $n \geq 1$, from the $c_{j-1}(f,p)$, $j = 1, \ldots, n$, involves $O(n)$ arithmetic operations on integers with binary length $O(n \log p)$.

(2) The computation of $a_j(u)$ from $L_u(t)$ (i.e. from $Z(t,f)$, cf. (8.6)) involves $O(1)$ arithmetic operations (cf. (8.4), (8.7)) on integers of binary length $O(\max\{\log p, \log(d_f l_f)\})$. Indeed, the only data entering this computation are the numbers $l(u)$, $W^*(B_u)$, $W(u)$, $u \in T(f,l_f)$, and by proposition 4.1 their binary length is bounded by $O(\max\{\log p, \log(d_f l_f)\})$.

The cost of computing $c_j(f,p)$ from the $L_u(t)$, $u \in T(f,l_f)$ (i.e. from $Z(t,f)$), is bounded by the number of vertices of $T(f,l_f)$ multiplied by an upper bound for the cost of computing $a_j(u)$ from $L_u(t)$, for any $j$ and $u$ (cf. (8.5)). Therefore, from the previous discussion, the cost of computing $c_j(f,p)$ from $Z(t,f)$ is bounded by $O(d_f l_f)$ arithmetic operations. These operations are performed on integers of binary length bounded by $O(\max\{(j + l_f)\log p, \log p, \log(d_f l_f)\})$. Indeed, the binary lengths of the numerator and the denominator of $a_j(u) + a_j(u')$, $u, u' \in T(f,l_f)$, are bounded by $(l_f + 1 + j)\log p$ (cf. (8.4)). Thus the arithmetic operations for calculating $c_j(f,p)$ from the $L_u(t)$ are performed on integers whose binary length is bounded by $O(\max\{(j + l_f)\log p, \log p, \log(d_f l_f)\})$.

(3) The third part follows from the first and second parts by (8.8).

8.1. Proof of Theorem 8.1. The theorem follows from proposition 8.3 (3): computing $N_0(f,p), \ldots, N_u(f,p)$ costs $\sum_{n=1}^{u} O(n d_f l_f) = O(u^2 d_f l_f)$ arithmetic operations, on integers whose binary length is bounded by the case $n = u$.